From d1ec2e050c6913534b014d64e1c6484361d34e8b02b4fe8273a9ec5b4c49bbeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Lie?= Date: Tue, 20 Jun 2017 16:43:46 +0000 Subject: [PATCH] Accepting request 505069 from home:alarrosa:branches:GNOME:Factory - Add 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch to fix a segfault when using >4GB images since int values were used for pointer operations (bsc#1007255, fdo#98165, CVE-2016-9082). OBS-URL: https://build.opensuse.org/request/show/505069 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/cairo?expand=0&rev=121 --- ...nt-invalid-ptr-access-for-4GB-images.patch | 122 ++++++++++++++++++ cairo.changes | 7 + cairo.spec | 3 + 3 files changed, 132 insertions(+) create mode 100644 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch diff --git a/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch b/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch new file mode 100644 index 0000000..ae4804b --- /dev/null +++ b/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch @@ -0,0 +1,122 @@ +From c812d1c1935cccf096a60ad904e640fdc83bd41c Mon Sep 17 00:00:00 2001 +From: Adrian Johnson +Date: Thu, 20 Oct 2016 21:12:30 +1030 +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images + +Image data is often accessed using: + + image->data + y * image->stride + +On 64-bit achitectures if the image data is > 4GB, this computation +will overflow since both y and stride are 32-bit types. + +https://bugs.freedesktop.org/show_bug.cgi?id=98165 +--- + boilerplate/cairo-boilerplate.c | 4 +++- + src/cairo-image-compositor.c | 4 ++-- + src/cairo-image-surface-private.h | 2 +- + src/cairo-mesh-pattern-rasterizer.c | 2 +- + src/cairo-png.c | 2 +- + src/cairo-script-surface.c | 3 ++- + 6 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c +index 7fdbf79..4804dea 100644 +--- a/boilerplate/cairo-boilerplate.c ++++ b/boilerplate/cairo-boilerplate.c +@@ -42,6 +42,7 @@ + #undef CAIRO_VERSION_H + #include "../cairo-version.h" + ++#include + #include + #include + #include +@@ -976,7 +977,8 @@ cairo_surface_t * + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file) + { + char format; +- int width, height, stride; ++ int width, height; ++ ptrdiff_t stride; + int x, y; + unsigned char *data; + cairo_surface_t *image = NULL; +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 48072f8..3ca0006 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer { + pixman_image_t *src, *mask; + union { + struct fill { +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + uint32_t pixel; + } fill; +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer { + struct finish { + cairo_rectangle_int_t extents; + int src_x, src_y; +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + } mask; + } u; +diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h +index 8ca694c..7e78d61 100644 +--- a/src/cairo-image-surface-private.h ++++ b/src/cairo-image-surface-private.h +@@ -71,7 +71,7 @@ struct _cairo_image_surface { + + int width; + int height; +- int stride; ++ ptrdiff_t stride; + int depth; + + unsigned owns_data : 1; +diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c +index 1b63ca8..e7f0db6 100644 +--- a/src/cairo-mesh-pattern-rasterizer.c ++++ b/src/cairo-mesh-pattern-rasterizer.c +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride, + tg += tg >> 16; + tb += tb >> 16; + +- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) | ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) | + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24); + } + } +diff --git a/src/cairo-png.c b/src/cairo-png.c +index 562b743..aa8c227 100644 +--- a/src/cairo-png.c ++++ b/src/cairo-png.c +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure) + } + + for (i = 0; i < png_height; i++) +- row_pointers[i] = &data[i * stride]; ++ row_pointers[i] = &data[i * (ptrdiff_t)stride]; + + png_read_image (png, row_pointers); + png_read_end (png, info); +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c +index ea0117d..91e4baa 100644 +--- a/src/cairo-script-surface.c ++++ b/src/cairo-script-surface.c +@@ -1202,7 +1202,8 @@ static cairo_status_t + _write_image_surface (cairo_output_stream_t *output, + const cairo_image_surface_t *image) + { +- int stride, row, width; ++ int row, width; ++ ptrdiff_t stride; + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE]; + uint8_t *rowdata; + uint8_t *data; +-- +2.1.4 + diff --git a/cairo.changes b/cairo.changes index b4a3e5c..2f99ffd 100644 --- a/cairo.changes +++ b/cairo.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Jun 20 11:20:29 UTC 2017 - alarrosa@suse.com + +- Add 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch to + fix a segfault when using >4GB images since int values were used + for pointer operations (bsc#1007255, fdo#98165, CVE-2016-9082). + ------------------------------------------------------------------- Fri Jun 16 19:11:41 UTC 2017 - zaitor@opensuse.org diff --git a/cairo.spec b/cairo.spec index c8cf745..4bf5f74 100644 --- a/cairo.spec +++ b/cairo.spec @@ -33,6 +33,8 @@ Patch0: cairo-xlib-endianness.patch Patch1: cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff # PATCH-FIX-UPSTREAM cairo-fix-off-by-one-check.patch fdo#101427 zaitor@opensuse.org -- Fix off by one check in cairo-image-info.c Patch2: cairo-fix-off-by-one-check.patch +# PATCH-FIX-UPSTREAM 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch alarrosa@suse.com -- Fix segfault when using >4GB images +Patch3: 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch BuildRequires: gtk-doc BuildRequires: pkg-config BuildRequires: pkgconfig(fontconfig) @@ -141,6 +143,7 @@ cairo. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build %configure \